In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

Friday, May 30, 2008

With Storm's recent SQL injection and introduction of several new domains within, the very latest additions to their domain portfolio are the following domains (naturally in a fast-flux provided by already infected hosts) hosting pharmaceutical scams :

All of the domain's DNS entries are set to update every 2 minutes, meaning they every 2 minutes another 20 different and infected IPs will be hosting the domains, which on the other hand logically have identical WHOIS entry records :

It's also worth pointing out how they emphasize on the benefits of SSL based transactions, when none of the sites is supporting SSL, but is doing something a great number of phishers do - they've changed the favicon to a key lock looking one, since maintaining a SSL infrastructure on the infected hosts is both, unpragmatic, and a bit unnecessary if they social engineer the visitor :

"SSL Encryption or Https is a technique used to safeguard private information which is sent via Internet. To prove the site's legitimacy, the SSL encryption uses a PKI (Public Key Infrastructure) - public/private key, to encrypt IDs, documents, or messages to securely transmit the information in the World Wide Web. In order to show that our transmission is encrypted, most browsers will display a small icon that would look like a pad "lock" or a key and the URL begins with "https" instead of "http". SSL Encryption or https from a digital certification authority will helps the secure web site with confidential information on web. "

Two days ago in a show off move, the Kryogenics team managed to change the DNS records of Comcast.net, and consequently, redirect traffic to third-party servers, which in this incident only served a defaced-looking like page, and denied email services to Comcast's millions of email users for a period of three hours.

The message they appear to have left at the first place, is actually hosted on third-party servers and reads :

The hacked page was loading from the following locations :freewebs.com/buttpussy69freewebs.com/kryogeniks911defiants.net/hacked.htmlComcast's comments :"Last night users attempting to access Comcast.net were temporarily redirected to another site by an unauthorized person," he says. "While that issue has been resolved and customers have continued to have access to the Internet and email through services like Outlook, some customers are currently not able to access Comcast.net or Webmail." Douglas says that network engineers continue to work on the issue. "We believe that our registration information at the vendor that registers the Comcast.net domain address was altered, which redirected the site, and is the root cause of today's continued issues as well," he says. "We have alerted law enforcement authorities and are working in conjunction with them."

Network Solutions comments :"Somebody was able to log into the account using the username and password. It was an unauthorized access," said spokeswoman Susan Wade. "It wasn't like somebody hacked into it. The Network Solutions account was not hacked. "They ping us and say this is my domain and say, 'I'd like to reset my password,'" Wade said. "It could have been compromised through e-mail. They could have gotten it if they acted as the customer. We're not clear."

"Pinging a domain registrar" has been around since the early days of the Internet, and it's obviously still possible to socially engineer one in 2008. A recently released ICANN advisory on the topic of registrar impersonation phishing attacks provides a decent overview of the threat, and in Comcast's case, I think someone impersonated Comcast in front of Network Solutions compared to the other way around, namely someone phished the person possessing the accounting data at Comcast, by making them think it's Network Solutions contacting them.

With Comcast.net now back to normal, the possibilities for abusing the redirected traffic given that the content was loading from web sites they controlled are pretty evident. And despite that there are speculations the hijack is courtesy of the BitTorrent supporters, in this case, the motivation behind this seem to have been to prove that it's possible.

Tuesday, May 27, 2008

It's been a while since we've last witnessed malware attacks using zero day vulnerabilities, and the latest one exploiting a zero day in Adobe's flash player is definitely worth assessing. The current malware attack has been traced back to Chinese blackhats, who are using a zero day to infect users with password stealers, moreover, one of the domains serving the Adobe zero day has been sharing the same IP with four of the malware domains in the recent waves of massive SQL injection attacks, indicating this incident and the previous ones are connected. According to Symantec :

"Preliminary investigation suggests that the DeepSight honeynet may also have captured this attack. We are looking into this further. Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173.cn and woai117.cn. The sites appear to be exploiting the same flaw, but are using different payloads. At the moment these domains do not appear to be resolving, but they may come back in the future. Network administrators are advised to blacklist these domains to prevent clients from inadvertently being redirected to them. Avoid browsing to untrustworthy sites. Also, consider disabling Flash or use some sort of script-blocking mechanism, such as NoScript for Firefox, to explicitly allow SWFs to run only on trusted sites. "

Let's assess the campaign using the Adobe Flash Player SWF File Unspecified Remote Code Execution Vulnerability. At count18.wuqing17173.cn/click.aspx.php (58.215.87.11) the end user is receiving a look looks like a 404 error message, however, within the 404 message there's a great deal of information exposing the exploits location and participation domains, which you can see attached in the screenshot above. In between several obfuscations we are finally able to locate the exploits serving host, as there are multiple exploits this particular campaign is taking advatange of, in between the Adobe Flash Player one :

Let's get back to the second domain which is not returning a valid 403 error forbidden message, woai117.cn (221.206.20.145) which has also been sharing the same IP with kisswow.com.cn; qiqi111.cn; ririwow.cn; wowgm1.cn, among the domains used in the ongoing SQL injection attacks. Once the binary located at woai117.cn /bak.exe was obtained and sandboxed, it tried to download more malware by accessing woai117.cn /kiss.txt with the following binaries already obtained, analyzed and distributed among AV vendors :

117276.cn /1.exe117276.cn /2.exe117276.cn /3.exewoai117.cn /bing.exe

Detection rates for the exploit, the obfuscations and the malware binaries obtained :

"Flashblock is an extension for the Mozilla, Firefox, and Netscape browsers that takes a pessimistic approach to dealing with Macromedia Flash content on a webpage and blocks ALL Flash content from loading. It then leaves placeholders on the webpage that allow you to click to download and then view the Flash content. "

It could have been worse, as "wasting a zero day exploit" affecting such ubiquitous player such as Adobe's flash player for infecting the end users with a rather average password stealer is better, than having had the exploit leaked to others who would have have introduced their latest rootkits and banker malware.

UPDATE - 5/28/2008

Consider blocking the following domains currently serving the malicious flash files :

UPDATE - 5/29/2008Zero day or no zero day? It appears that the exploit used in this campaign is an already known one, namely CVE-2007-0071, and this has since been verified by multiple parties who were assessing the incident. Some related comments :

Flaw Watch: Why Adobe Flash Attacks Matter"Thursday, however, Symantec backtracked after Adobe released a statement denying that the matter concerned a new flaw. In a progress report posted to the official Adobe PSIRT blog, David Lenoe said the exploit "appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0." In an update to that blog entry, he said Symantec had confirmed that all versions of Flash Player 9.0.124.0 are not vulnerable to the exploits. Symantec Senior Researcher Ben Greenbaum acknowledged the flaw was previously known and patched by Adobe April 8, though the Linux version of Adobe's stand-alone Flash Player version 9.0.124 was indeed vulnerable to the attack."Potential Flash Player issue - update"We've just gotten confirmation from Symantec that all versions of Flash Player 9.0.124.0 are not vulnerable to these exploits. Again, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0. To verify the Adobe Flash Player version number, access the About Flash Player page, or right-click on Flash content and select “About Adobe (or Macromedia) Flash Player” from the menu. Customers using multiple browsers are advised to perform the check for each browser installed on their system and update if necessary. Thanks to Symantec for working very closely with us over the last 2 days to confirm that this is not a zero-day issue, and to Mark Dowd and wushi for originally reporting this issue. "More information on recent Flash Player exploit"This is not a zero-day exploit. Despite various reports that have been circulating, the Flash Player Standalone 9.0.124.0 and Linux Player 9.0.124.0 are NOT vulnerable to the exploits discussed in conjunction with the previously disclosed vulnerability Symantec posted on 5/27/08. Symantec originally believed this to be a zero-day, unpatched vulnerability, but as their latest update on their Threatcon page indicates, they have now confirmed this issue does not affect any versions of Flash Player 9.0.124.0."Followup to Flash/swf stories"On closer examination, this does not appear to be a "0-day exploit". Symantec has updated their threatcon info, as well. We have yet to see one of these that succeeds against the current version (9.0.124.0), if you find one that does, please let us know via the contact page."

Why was the possibility of finding one that succeeds against the current version of Flash considered in ISC's post? Because with no samples distributed by Symantec verifying the zero day, the way the exploit serving flash files were generated at the malicious domains on a version basis (WIN%209,0,115,0ie.swf for instance), and with everyone trying to figure it out in order to obtain the malicious flash file for the latest version in order to verify its zero day state, this timeframe resulted in the delay of assessing the real situation.

According to the latest report from the Phishtank, a great resource for OSINT data, five IPs were hosting 6547 phishing campaigns in April, all of which are courtesy of the Asprox botnet, a botnet that despite being actively sending phishing emails for the last couple of months, received more publicity for its introduction of SQL injection capabilities, like the ones I've assessed in a previous post. The IPs in question :

212.174.25.24162.233.145.45218.92.205.24685.105.182.6212.0.85.6

Where's the connection? It's in the historical domains that used to respond to the IPs, in the Asprox case, a great deal of the original domain names used a couple of months ago are still in a fast-flux and further expose and connection between these IPs and Asprox. For instance, 62.233.145.45, is known to have been hosting xml52.com; www5.yahoo.american-greeting.ca.xml52.com; yahoo.americangreeting.ca.www05.net; bendigobank.com.au.tampost5.ws; among the domains used in some of the previous phishing domains. The rest of the IPs are also known to have participated in the fast-flux, and therefore, as long as they remain using some of their old domains, and fast-flux them in a way that can be compared to the data from previous months, monitoring the prevalence of Asprox phishing campaigns and making the connection between a phishing campaign and the botnet, would remain easy to do.

Monday, May 26, 2008

Another SQL injection attack was spotted in the wild during the last couple of hours, and while it continues remaining active, surprisingly, the malicious domain is not in a fast-flux. As I've already pointed out, the upcoming SQL injection attacks for the next couple of months, will be primarily executed by copycats, where among the few differentiation factors left is increasing the survivability of the domain.

In the particular attack, the injected domain chliyi.com /reg.js loads an iFrame to chliyi.com /img/info.htm where a VBS script attempts to execute by exploiting MDAC ActiveX code execution (CVE-2006-0003), whose detection rate is 1/32 (3.13%) and is detected as Mal/Psyme-A. Approximately, 8,900 sites have been affected.

A new issue of the Hakin9 - Hard Core IT Security Magazine is "in the wild", and since the editorial staff has been kind enough to provide me with issues of the magazine for a while now, in this post I'll review the latest issue with the idea that constructive confrontation leads to the best output achievable.

There are many different ways to review a magazine, however, I'm always sticking to the following critical success factors for a quality magazine :

- The presence of a visionWhile a vision is often taken for granted, or even worse, a mission gets misunderstood for a vision, in Hakin9's case the vision could be perhaps best rephrased as "Spoiling the geeks who beg for a nerdy talk to them".

- Content quality

The magazine truly delivers what it promises, namely, hardcode content in sections such as tools review, basics, attack, defense, book reviews, consumers test, and interviews. And whereas the key topic in this issue is LDAP cracking, I really enjoyed the Javascript obfuscation article, with the practical examples provided. A bit ironic, the issue is also reviewing a commercial source code obfuscator, which just like legitimate anti-piracy tools used by malware authors to make their binaries harder to analyze, can also be abused for malicious purposes.

- Relevance of informationThe information provided in the articles is highly relevant, and timely, lacking any retrospective approaches and focusing on current and emerging threats only. The same goes for the extensive external resources provided, emphasizing on the importance of self-education.

- Layout

Very well structured, and so far I haven't come across an article where the images weren't syndicated the way they should be, for instance the figures mentioned on a certain page, are the same figures available at that page. Three differentiation points make a very good impression, the level of difficulty for the article, what you should know before reading it in order to understand it, and what you will know after reading it, which you can find at the end of every article.

- Visual materialsThe surplus of visual materials is perhaps what won me as a reader from the first moment. In fact, the issues are so rich on visual material illustrating the topic covered in such details, that you can actually take entire sniffing, and javascript obfuscation sessions offline with you, and never ever have to picture the output of a certain process in your mind again.

- Ads

Highly targeted, and primary security related, and best of all, very well spread across the magazine, so you're exposed to more content than ads.

Overall, the magazine successfully delivers what it promises to deliver - hardcode technical content from the geeks, for the geeks. Informative reading!

Digitally ugly for sure, the point is that this malware campaign has been spreading pretty rapidly over MSN and AIM as of recently, and with its success rate so efficiently infecting new hosts, that going through chat logs indicates the botnet master's will to stop spreading it as there are simply too many hosts getting infected faster than he had anticipated at the first place. Ironic, but a perfect example of what happens once the entry barriers into a certain market segment of the IT underground have been lowered to the stage where, it's not about having the capabilities, but the motive to embrace the success rate, like this case.

Botnet masters are also masters in social engineering. Apparently, the success rate for this campaign is so high due to its social engineering tactic, which in this case is to establish as many touch points with the potential victim as possible, and also, entice clicking on a commonly accepted as harmless .php file followed by the victim's username in a username@hotmail.com fashion.

What you see is not always what you get, especially with more and more droppers requesting other malware with image file extensions, which gets locally saved in its real nature - %Windir%\Media\System.exe for instance.

Friday, May 23, 2008

Bonjour! In a surprising move by the French blackhats, the Icepack web malware exploitation kit has been localized to French, further expanding the list of malware kits localized to foreign languages, and confirming the localization trend (page 18). Localization has been silently taking plance in the IT underground for the last couple of years, and as of recently going mainstream, followed by the localization of such popular web malware exploitation kits such as MPack, Icepack and Firepack, all to Chinese.

The long term impact of localization will improve the communication between those offering malicious services, and those looking for them in their native language. For instance, the sites of certain malicious services are already available in several different languages, and the quality of the translation is courtesy of available translation services provided by native speakers.

Moreover, breaking the language barrier doesn't just expand the market, but also, improves targeting for malware, spam, and phishing campaigns, where a truly professional campaign would speak the native language so naturally, it would leave the receipt with the feeling that it's originating from somewhere within their homeland. In reality though, the malicious parties behind it, or the managed spam providers vertically integrating to offer translations services, would be on the other side of the planet.

Thursday, May 22, 2008

Whereas the value of these malicious domains lies in the historical preservation of evidence, as long as hundreds of thousands of sites continue operating with outdated and unpatched web applications, the list is prone to grow on a daily basis, thanks to copycats and the Asprox botnet. The Shadowserver Foundation's list of malicious domains used in the SQL injection attacks :

Wednesday, May 21, 2008

Following the most recent proprietary web malware exploitation kits, and DIY malware tools found in the wild, this is among the latest malware builders with a special emphasis on spreading from PCs to USB mass storage devices, and from USB mass storage devices to PCs. On 2008/04/28 when a sample generated binary was checked with multiple antivirus scanners, the detection was 2/32 with Panda Security and F-Secure detecting it, according to the seller of the builder.

For the time being, malware authors continue emphasizing on the product concept, namely they build a malware based on their perception of what a malware should constitute of, then start offering it for sale as well as it's source code. In the long-term however, based on the increasing number of malware and spyware coding on demand, malware authors would undoubtedly embrace the customerization concept and start putting more efforts into figuring out what the customer really want compared to their current "built it, price, advertise it" and they'll come mentality.

Moreover, despite the generated buzz over the Zeus banker malware and its copyright notice, Zeus remains publicly available, and so is its source code, placing it under the open-source malware segment. So emphasizing on how malware authors are trying to protect their work is exactly what's not happening right now. Releasing it in open-source form increases its life cycle, and both, the original authors, and the community build around the malware benefit from the new features introduced within.

And now that the most popular web malware exploitation kits are already localized to Chinese due to their open-source nature, making it harder to maintain a decent situational awareness on the new features introduced courtesy of third-party coders, we may that easily see Zeus localized to Chinese as well. It's a trend, not a fad.

"According to Trend Micro Advanced Threats Researcher David Sancho, whitehouse.org has been compromised to harbor some malicious, obfuscated JavaScript code which “background downloads” code to unsuspecting visitors of the site, where a malicious file is downloaded (which is detected by Trend Micro as TROJ_DELF.GKP ). Of course, the official White House Web site is whitehouse.gov, and although it has been reported that some people believe whitehouse.org is the real deal, even those looking for this site specifically should be forewarned."

The malicious domain embedded within the site ad.ox88.info/13.htm (67.15.212.150) is using Mal/ObfJS-AP/Exploit:HTML/AdoStream to serve the malware, whereas the domain itself is using DNS servers known to provide service to malicious domains from previous malware embedded attacks that I've been assessing.

Tuesday, May 20, 2008

The rise of pro-kosovo web site defacement groups was marked in April, 2008, with a massive web site defacement spreading pro-kosovo propaganda. The ongoing monitoring of pro-kosovo hacktivists indicates an ongoing cyberwar between pro-serbian supporting hacktivists successfully defacing Albanian sites, and building up capabilities by releasing a list of vulnerable Albanian sites (remote SQL injections for remote file inclusion, defacements or installing web shells/backdoors) to assist supports into importing the list within their do-it-yourself web site defacement tools.

Where's the malware at pest-patrol.com? In one of these anecdotal cases, the way the people behind these rogue sites use the same template over and over again, and consequently forget to change the rogue software's name, in this case, not only is pest-patrol.com's mail server responding to antispycheck.com, but they've also uploaded a broken template.

Storm Worm related domains which are now down :centerprop.cnapartment-mall.cnstateandfed.cn phillipsdminc.cnapartment-mall.cnbiggetonething.cngasperoblue.cngiftapplys.cngribontruck.cnibank-halifax.comlimpodrift.cnloveinlive.cnnewoneforyou.cnnormocock.cnorthelike.comsupersameas.comthingforyoutoo.cn

One of the domains that is injected as an iFrame is using ns.likenewvideos.com as DNS server, whereas likenewvideos.com is currently suspended due to "violating Spam Policy". Precisely.

Yet another proprietary web malware exploitation kit has been released at the beginning of this month, further indicating that the efficient supply of such kits is proportional to their simplistic nature. The only differentiation factor in the Small Pack is perhaps the inclusion of all known Opera exploits up to version 9.20, however, the rest of the features are the natural ones included in the majority of already known exploitation kits :

Converging infection and distribution vectors, evasion and survivability, metrics and command and control in a single all-in-one web malware exploitation kits is, however, is definitely in the works considering the developments introduced in the rest of the kits currently available. For instance, despite that the ongoing waves of SQL injection attacks with multiple campaigns are injecting the malicious domains in its original form, certain attacks are starting to inject obfuscated URLs making it harder to assess the impact of the campaign using open source intelligence techniques.

The bottom line, as long as webmasters continue participating in the so called "traffic exchange" revenue models, knowingly or unknowingly embedding links that would later on ultimately redirect to a malicious site, "traffic exchange" is receiving the most attention at the strategic level, next to "traffic acquisition" at the tactical level. Basically, the traffic inventory that could be supplied is the direct result of an ongoing SQL injection attack, or malware embedded through other means, with the traffic brokers directly undermining webmaster's unethical inclusion of exploits within their domains portfolio.

One thing's for sure - web malware exploitation kits are not just getting localized, they're also being cloned.

Saturday, May 17, 2008

Four Redmond related web properties appear to have been SQL injected by Chinese hacktivists, namely, Redmond - The Independent Voice of the Microsoft IT Community formerly known as Microsoft Certified Professional Magazine, the Redmond Developer News as well as the Redmond Channel Partner Online.

The lone hacktivist also left a message at the malicious domain (wowyeye.cn), which reads :

“The invasion can not control bulk!!!!If the wrong target. Please forgive! Sorry if you are a hacker. send email to kiss117276@163.com my name is lonely-shadow TALK WITH ME! china is great! f**k france! f**k CNN! f**k ! HACKER have matherland!”

Factual evidence on the emergence of individual phishing kits is starting to appear, with two more available in the wild. So what? For the time being, the lack of communication between the authors of these, or perhaps even the need to is slowing down the adoption of core features that would standardize and create a dynamic all in one phishing campaign C&C.

In the long term, however, features and customizations already adopted by ethical phishing initiatives, would become the default set of features for public, and not the proprietary kits that theoretically should act as the benchmark. As in a previous discussion on the dynamics of the malware industry and the proprietary tools within, lowering the entry barriers into phishing by releasing this applications for free, greatly benefits the more experienced phishers, as the novice market entrants would be the ones making the headlines :

"The DIY phishing kits trend started emerging around August, 2007, with the distribution of a simple kit (screenshots included), whose objective was to make it easy for a phisher already possessing the phishing page, to enter a URL where all the data would be forwarded to. Several months later, the kit went 2.0 (screenshots included) and introduced new preview, and image grabber features in order to make it easier for the phisher to obtain the images to be used in the attack. In early 2008, two more phishing kits made it in the wild, with the first once having direct FTP upload capabilities as well DIY Phishing Kit as automated updating of the latest phishing page, and the second one taking advantage of plugins under a .phish file extension."

"Where’s the enemy, and where’s the enemy’s communications and network infrastructure at the first place? It’s both nowhere, and everywhere, and you cannot DDoS “everywhere”, and even if you waste a decade building up the capability to DDoS everywhere, your adaptive enemy will undermine the resources, time and money you’ve put into the process by avoiding outside-to-inside attacks, and DDoS your infrastructure from inside-to-inside."

Here are related comments on how unnecessary the whole idea is at the first place.

Tuesday, May 13, 2008

The process of localizing open source malware, as well as publicly obtainable web malware explotation kits is continuing to receive the attention of malicious attackers, the Chinese underground in particular. Starting from MPack and IcePack's original localizations to Chinese, the FirePack exploitation kit is the latest one to have been recently localized to Chinese, and the trend is only starting to emerge.

What is prompting Chinese users to translate these kits to their native language anyway? Is it the kit's popularity, success rates, lack of alternatives, or capability matching with the rest of the internaltional underground community? I'd go for the last point.

Monday, May 12, 2008

What is the future of spamming next to managed spamming appliances, like the ones already offered for use on demand? It’s targeted spamming going beyond the segmentation of the already harvested emails on per country basis, and including other variables such as city of residence, employment history, education, spoken languages, to ultimately set up the perfect foundation for targeted spamming and malware campaigns.

The ongoing development of the tool showcases several important key points, namely, how a market share leader's products in a certain region, Korea in this case, often receive the attention of malware authors embedding product-specific DoS attacks within, and also, the fact that the average script kiddies are continuing getting empowered with access to DDoS tools going beyond the average HTTP request flooders and ICMP flooding attacks. Furthermore, realizing the PSYOPs effect that could be created out of the popularity of this DIY malware, a specific Anti CNN version was released during the Anti CNN attack campaigns, and as you can also see, ABC.com is hard coded as an example of a site to be attacked.

From an unrestricted warfare perspective, what is the difference between someone who has on purposely infected themselves with malware to appear as an infected hosts in this malware's C&C, and when traced back as a participant in the DDoS attacks simply states she's been infected with malware, next to those infected hosts who were unknowingly participating in the DDoS attacks? There wouldn't be any.

In a perfect world from a malicious SQL-ers perspective, mom and pop E-shops filling market niches and generating modest but noticeable revenue streams, have their E-shops vulnerable and exploitable to web application vulnerabilities, with their SQL databases available for extraction in an unencrypted form.

In reality, reconnaissance through search engine's indexes to build a hit list of E-shops with a higher probability for exploitation, is what malicious attackers who lack the skills and capacity to build a botnet, even invest money into renting one on demand and collecting the output in the form of credit cards numbers and accounting data, have been doing for the past of couple of years. Moreover, as I've already pointed out and provided relevant examples, it's perhaps even more disturbing to see the automated process of building such hitlists, verifying that they're exploitable, remotely exploiting them by embedding malicious links within their pages, and of this made possible through the use of botnets.

The whole is greater than the sum of its parts, and while some are putting time and efforts into figuring out whether or not a specific vulnerability is exploited, and through the use of which hundreds of thousands web sites again end up injected with automatically loading links to malicious domains, the bad guys are keeping it simple, sometimes way too simple to end up with the most successful and efficient ways to achieve their objectives. Furthermore, waging verbal warfare on whether or not XSS are a greater security risk than currently perceived, is definitely making a lot of malicious attackers out there enjoy the lack of situational awareness of those who are supposed to have a better grasp of what they're up to, not what they might be up to.

The bottom line - from a malicious economies of scale perspective, are massive SQL injections attacks serving malware to a speculated number of hundreds of thousands susceptible to clien-side attacks exploitation site visitors, more effective, than obtaining the low-hanging databases in a site-specific vulnerability manner? Depends entirely on what the bad guys are trying to obtain, access to as many infected hosts as possible to be later on used for phishing, spamming, stepping stones, hosting and distribution of malware and conducting OSINT for corporate espionage by segmenting the infected population into organizations of importance, or access to "the whole" benefits package coming with having a complete access over an Internet connected host.

Friday, May 09, 2008

"Please, don't update your account information", at least not on recently spammed phishing pages which will not only aim at obtaining your accounting data, but will also infect with you malware through exploiting MS06-014. These phishing emails are a great example of blended threats, and while we're been witnessing the ongoing consolidation between phishers, spammers and malware authors for the last two years, this particular phishing campaign looks like a lone gunman operation.

Original message : "Dear valued skype member: It has come to our attention that your skype account informations needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records on or before May 11, 2008. you are requested to update your account informations at the following link. To update your informations."

Phishing URL : alertskype.freehostia.com, which is then forwarding to skypealert.ns8-wistee.fr/Secure.skype.com/store/member/login.html/Login.aspx/index/Skype.Members/index.htmls/ where the malware and the exploit are hosted.

The phishing page wasn't created, but copied from Skype's original login page. The phisher even left an email within the VBS, in this case - ikbaman@gmail.com. Virtual greed or contact point optimization for fraudulent purposes, passive phishing attacks can sometimes be quite active and leave the curious clicker with a false feeling of security.

In people's information warfare self-mobilization happens consciously, and the anti CNN campaigns perfectly demonstrate this, with an emphasis on how even the non-technical, but Internet bandwidth empowered Chinese user can consciously become a part of a PuppetNet. And while it may also seem logical that the attacking crowds would already be using a well known set of DoS tools, the most recent case demonstrates their capabilities to code and release such DoS tools on demand. For instance, excluding a popular in China DIY malware with custom DDoS capabilities, the rest of the tools were released for this particular campaign.

Key features :- the GUI C&C's objective is to make it easier to control a large number of infected hosts with an interesting option to measure the bandwidth in order to properly allocate it for DDoS attacks- has a built-in dropping capability for backdooring the already infected hosts through a web shell- has a built-in dropping capability of several exploits onto the infected hosts in order to use the infected hosts as infection vectors, a malicious infrastructure on demand- intranet and Internet port scanning

Using a DIY malware kit as a dropper of exploits onto infected hosts, who would later on be used as infection vectors to increase the botnet's population is a new approach applied by the Chinese underground. In comparrison, following an underground's lifecycle, the Chinese one is still more features-centered compared to the Russian one for instance, where once features become a commodity, more emphasis is put into quality assurance and extending the lifecycle of the malware by ensuring it remains undetected for as long as possible - the product concept vs the rootkit stage.

Wednesday, May 07, 2008

Among the very latest victims of a successful blackhat SEO campaign that has managed to inject and locally host 1,370 pharmaceutical pages, is the Millennium Challenge Corporation (mcc.gov) - a United States Government corporation designed to work with some of the poorest countries in the world.

The injected pages are loading remote images from what looks like a secondary compromised site, in this case ttv-bit.nl which is a legitimate Dutch table tennis association. Compared to previous blackhat SEO campaigns that I've assessed in the past taking advantage of redirection only, the layout of the embedded pages in this one is sticking the remotely loading images at the top of the page, and placing the original at the bottom.

With a recently distributed database of several thousand YouTube user names, spammers continue trying to demonstrate their interest in establishing as many contact points with potential receipts of their message, or even malware given the harvested user names database ends up in someone else's hands.

Building such "hitlists" of end points to be spammed, or served malware, is setting up the foundations for the success of popular tools used for spamming video and social networking sites, efficiently, and with a very low degree of unsuccessful attempts to deliver the message. Moreover, these developments seem to indicate an emerging trend of building databases that would later one be efficiently abused, starting from the Thousands of IM Screen Names in the Wild uncovered in October, 2007, and going to the spamming of Skype users.

Direct applicability for spamming and malware campaigns, or a bargain for finalizing a deal, databases of any kind are prone to be abused in principle, and it's malicious parties in general I'm refering to in this case.

Tuesday, May 06, 2008

What is the most efficient and cost-effective way of both, measuring your employees awareness of phishing threats, and building awareness of the threat simultaneously? By sending them ethical phishing emails to see which department based on which social engineering campaign is more susceptible to phishing attacks, at least that's what PhishMe.com is all about :

"Effective, memorable, and secure user awareness testing and training is now available with just a few clicks. Using PhishMe.com’s built-in templates and WYSIWYG functionality, you can emulate real phishing attacks against your employees within minutes. Focus your training efforts on the most susceptible employees by providing immediate feedback to anyone that falls victim to these exercises. Phish your employees before hackers do!"

Once watching the demo online, you'll get the feeling that it's actually a real phisher's web interface to spamming out phishing emails, so I guess the bad guys can in fact learn from the good guys standardizing approach and metrics mentality applied.

Or perhaps a public leak, given that someone out there might have already came up with such an interface, without the sexy layout? And by the time there hasn't been a release or a leak, spamming tools would continue getting adapted for phishing purposes, and log parsers would be a phisher's best friend in respect to evaluating the success rate of a phishing campaign.